從攔封包到 App逆向 (進階課程)

# 從攔封包到 App逆向(進階課程) --- 首先下載[夜神模擬器](https://tw.bignox.com/) ![](https://i.imgur.com/KPIVTC1.png) --- 安裝 ![](https://i.imgur.com/JMsVw0v.png) --- ![](https://i.imgur.com/bsdOMnw.png) --- ![](https://i.imgur.com/FhPMaCv.png) --- ![](https://i.imgur.com/Utsl4ME.png) --- 安著 6.0以後有更改一些政策請用 5.0模擬 https://tw.bignox.com/blog/multidrive2/ --- # 接下來安裝 Burp [攔封包軟體](https://portswigger.net/burp/communitydownload) ![](https://i.imgur.com/U7KJlgi.png) --- ![](https://i.imgur.com/b0ATo7G.png) --- ![](https://i.imgur.com/qX1Su5Q.png) --- ![](https://i.imgur.com/0xo4Qr4.png) --- ![](https://i.imgur.com/BNukNSu.png) --- ![](https://i.imgur.com/E8HDsJq.png) --- 進入 proxy -> options 按add ![](https://i.imgur.com/jdVYJCr.png) --- 今天我們要解的app 是他 [先下載apk](https://tw.apksum.com/download/com.itcode.reader_5.0.7_free) ![](https://i.imgur.com/4TxVD9A.png) --- ![](https://i.imgur.com/aJ9xBOv.png) --- ![](https://i.imgur.com/fO34HfH.png) --- # 設定proxy 進設定 ![](https://i.imgur.com/RxdVA83.png) --- 選 wifi ![](https://i.imgur.com/MJeaajZ.png) --- - 長按 wifi名稱 ![](https://i.imgur.com/DbWcW99.png) --- - 選修改網路進階選項 ![](https://i.imgur.com/H7D580U.png) --- - 輸入電腦ip ![](https://i.imgur.com/l808uhD.png) --- # 查看burp是否有東西選 proxy intercept 第三個按鈕要是off ![](https://i.imgur.com/izS1zL7.png) --- 點到 HTTP history 看是否有東西 ![](https://i.imgur.com/Z37Zsln.png) --- # 灌憑證 https --- 開啟網頁輸入 `http://burp` ![](https://i.imgur.com/Lit4Gpd.png) --- 右下角下載 ![](https://i.imgur.com/qQY8wnU.png) --- 下載的憑證要先改名 ![](https://i.imgur.com/yDgKavW.png) --- ![](https://i.imgur.com/QkwHLa9.png) --- ![](https://i.imgur.com/C7At79f.png) --- 改成 `.cer` ![](https://i.imgur.com/Metf9lC.png) --- 回到設定 -> 安全性 ![](https://i.imgur.com/EbI3joE.png) --- 從SD卡安裝 ![](https://i.imgur.com/VuPJnWt.png) --- 選擇下載 ![](https://i.imgur.com/iL2lkMA.png) --- 你剛剛的檔案 ![](https://i.imgur.com/Fah2Ud3.png) --- 名稱隨便取用途不用改 ![](https://i.imgur.com/Oo7CeM4.png) --- 設定密碼自己設定 ![](https://i.imgur.com/12J71eL.png) --- 成功安裝 ![](https://i.imgur.com/opTfin4.png) --- 打開我們要拆的app ![](https://i.imgur.com/uEIlsbs.png) --- 查看攔到的封包 ![](https://i.imgur.com/h1q1VS1.png) --- 看到資料是被加密的 ![](https://i.imgur.com/mHPCbB2.png) --- 但回傳是正常的 ![](https://i.imgur.com/T7Bo9kN.png) --- # 逆向開始 --- ## jadx [下載](https://github.com/skylot/jadx) --- ![](https://i.imgur.com/FEnPfQc.png) --- ![](https://i.imgur.com/A98GsDq.png) --- ### Mac開啟請開這檔案 `lib/jadx-gui-0.9.0.jar` ![](https://i.imgur.com/7uS0P4T.png) --- ## 打開 manman[下載處](https://tw.apksum.com/download/com.itcode.reader_5.0.7_free) ![](https://i.imgur.com/Jp6EKmm.png) --- 打開長這樣 ![](https://i.imgur.com/xrqGezM.png) --- ## 按下搜尋 ![](https://i.imgur.com/ToDp1LW.png) --- ## 等他反組譯 ![](https://i.imgur.com/3U9qZoY.png) --- ## 開始搜尋編碼封包看起來是base64 code 要打勾 ![](https://i.imgur.com/Ag8XJCk.png) --- ## 看到前面是安著的通常是內建直接無視 ![](https://i.imgur.com/3d0KyLW.png) --- ## 看了一陣子會發現底下應該是他們自訂的函數 ![](https://i.imgur.com/AqKVvr9.png) --- - 再翻一下會發現這應該是處理網路請求的地方 ![](https://i.imgur.com/Kb00iBF.png) --- - 打開來發現他在900行時候丟回了一個base64 ![](https://i.imgur.com/Vr05rwl.png) --- - 在往上追發現他把某個東西編成json ![](https://i.imgur.com/HXJCoCQ.png) --- - 然後好像把json 轉乘Byte ![](https://i.imgur.com/6tYpgcW.png) --- - 然後再用每個Byte去做加減 ![](https://i.imgur.com/2Wu2BoT.png) --- # Proof - 把整段code 複製下來試著把它做的事情相反做一遍 ```java= byte[] bytes = stringBuilder.toString().getBytes();//把一個字串轉乘Byte char[] cArr = new char[bytes.length]; //宣告一個新字串大小為原本字串的大小 for (int i = 0; i < bytes.length; i++) { cArr[i] = (char) (bytes[i] & 255); //把每個Byte轉回字元並存入剛剛新建的字串 } /// 總之上面那五行做的事情就是把字串轉存到另一個字串 /// 所以有做=沒做 int[] iArr = new int[cArr.length]; int i2 = 0; int i3 = 1; for (int i4 = 0; i4 < cArr.length; i4++) { int i5 = i4 % 5; if (i5 == 0) { i3 = i2 % 2 == 0 ? 1 : -1; // 如果 i2%2 ==0 i3 = 1 不然i3 = -1 i2++; } if (cArr[i4] >= 127) { iArr[i4] = cArr[i4] - 125; } else { iArr[i4] = (cArr[i4] + 110) + ((i5 + 1) * i3); } } return convertToBase64(iArr); ``` --- ## 咱們開始寫相反的函數 ---- ```java= public static String decode(String dd) { byte[] decodedString = Base64.getDecoder().decode(dd); byte[] bytes = decodedString; char[] cArr = new char[bytes.length]; for (int i = 0; i < bytes.length; i++) { cArr[i] = (char)(bytes[i] & 255); //有座跟沒做一樣不知道在幹嘛總之被cp到cArr } int[] iArr = new int[cArr.length]; String last = new String(); int i2 = 0; int i3 = 1; for (int i4 = 0; i4 < cArr.length; i4++) { int i5 = i4 % 5; if (i5 == 0) { //每五次 i3正負換一次 i3 = i2 % 2 == 0 ? 1 : -1; i2++; } int a = cArr[i4] + 125; int b = (cArr[i4] - 110) - ((i5 + 1) * i3); if (b >= 127) { iArr[i4] = a; } else { iArr[i4] = b; //i3每五次 i3正負換一次 } last += (char) iArr[i4]; } return last; } ``` ---- python版 ```python= def orginfo_decode(org_base64): bytes = base64.b64decode(org_base64) last = "" i2 = 0 i3 = 1 i4 = 0 for i in range(len(bytes)): by = bytes[i] i5 = i4 % 5 if i5 == 0: if i2 % 2 == 0: i3 = 1 else: i3 = -1 i2 += 1 a = by + 125; b = (by - 110) - ((i5 + 1) * i3) fin = None if b > 127: fin = a else : fin = b last += chr(fin) i4 += 1 return last ``` --- ## 如何驗證自己的函數是對的 - 創一個新的字串丟進去反轉回來 ```java= public static String encode(String a) { byte[] bytes = a.getBytes(); char[] cArr = new char[bytes.length]; for (int i = 0; i < bytes.length; i++) { cArr[i] = (char)(bytes[i] & 255); //有座跟沒做一樣不知道在幹嘛總之被cp到cArr } byte[] iArr = new byte[cArr.length]; int i2 = 0; int i3 = 1; for (int i4 = 0; i4 < cArr.length; i4++) { int i5 = i4 % 5; if (i5 == 0) { //每五次 i3正負換一次 i3 = i2 % 2 == 0 ? 1 : -1; i2++; } if (cArr[i4] >= 127) { iArr[i4] = (byte)(cArr[i4] - 125); } else { iArr[i4] = (byte)((cArr[i4] + 110) + ((i5 + 1) * i3)); //i3每五次 i3正負換一次 } } return Base64.getEncoder().encodeToString(iArr); } ``` ```java= public static void main(String[] args) { System.out.println(decode(encode("test"))); } ``` ---- ## 總code ```java= package testjava; import java.util.Base64; public class Test { public static String encode(String a) { byte[] bytes = a.getBytes(); char[] cArr = new char[bytes.length]; for (int i = 0; i < bytes.length; i++) { cArr[i] = (char)(bytes[i] & 255); //有座跟沒做一樣不知道在幹嘛總之被cp到cArr } byte[] iArr = new byte[cArr.length]; int i2 = 0; int i3 = 1; for (int i4 = 0; i4 < cArr.length; i4++) { int i5 = i4 % 5; if (i5 == 0) { //每五次 i3正負換一次 i3 = i2 % 2 == 0 ? 1 : -1; i2++; } if (cArr[i4] >= 127) { iArr[i4] = (byte)(cArr[i4] - 125); } else { iArr[i4] = (byte)((cArr[i4] + 110) + ((i5 + 1) * i3)); //i3每五次 i3正負換一次 } } return Base64.getEncoder().encodeToString(iArr); } public static String decode(String dd) { byte[] decodedString = Base64.getDecoder().decode(dd); byte[] bytes = decodedString; char[] cArr = new char[bytes.length]; for (int i = 0; i < bytes.length; i++) { cArr[i] = (char)(bytes[i] & 255); //有座跟沒做一樣不知道在幹嘛總之被cp到cArr } int[] iArr = new int[cArr.length]; String last = new String(); int i2 = 0; int i3 = 1; for (int i4 = 0; i4 < cArr.length; i4++) { int i5 = i4 % 5; if (i5 == 0) { //每五次 i3正負換一次 i3 = i2 % 2 == 0 ? 1 : -1; i2++; } int a = cArr[i4] + 125; int b = (cArr[i4] - 110) - ((i5 + 1) * i3); if (b >= 127) { iArr[i4] = a; } else { iArr[i4] = b; //i3每五次 i3正負換一次 } last += (char) iArr[i4]; } return last; } public static void main(String[] args) { String test_string = "6pLU4eDWz8rTzZGqk6OloKCgoKCRnJPT49aOpYzM3t3a1aLR0d/L0tuSnZTk4s3X093okqujn4/V2dDYkaqTp6GdmpzJscOzkaTEop6cmpnO0d/W5dzVz8nK3dTj4dzRy6GYmZ2g0KKjnZybmpmfnaKirKOZn8uboZ3X2NnTmdHQz9WopKfZnp+izcjW3+DZ39KOl4zd3tvW4JWnjt7Z1tTk2dvh1I7om56jqaemp6acnXdz"; System.out.println(decode(test_string)); System.out.println(decode(encode("test"))); } } ``` --- - 那麼把剛剛的封包丟進來試試看 ![](https://i.imgur.com/SsVmAXt.png) ## 那麼我們成功解析app - 這樣才能開始攻擊(SQL注入等)